Cisco ASA 5505

Answered Question
Jul 31st, 2008
Hi, we have deployed an ASA 5505 in our production network and are using a 1 MB dedicated ISP line, and we are now going to upgrade to 6 MB. As I think that our Cisco ASA doesn't support the IPS feature, I would like to know whether there is any problem we can face in future as far as security is concerned. All other models of ASA have the IPS feature, but with the Cisco ASA 5505, is it possible that our organisation's network is not fully secured? Please suggest... Thanks

JORGE RODRIGUEZ Thu, 07/31/2008 - 20:00

You're correct, only the ASA 5505 does not support IPS modules. I think it all comes down to how you engineer your security perimeter with respect to the inside private network: separate public-access server farms from your inside network with DMZs, and for sensitive networks within the inside network provide private VLANs. Yes, with a firewall you have protection; you can however provide another layer of filtering using a router in front of the firewall. Also implement some type of syslog server to capture FW logs for analysis. Firewall logs can be long, but that is what we all have to check and look through for blocked threats.



http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml



HTH

Jorge

nikuhappy2010 Thu, 07/31/2008 - 20:19
With the ASA 5505, how much can the network be secured, in %, without IPS? Is it possible for a hacker to do something wrong and use the network resources without IPS? I am sure I have implemented all configuration which seems fine in security terms. In the current scenario, if I replace the FW with a 5510, then what would be the difference between the current network and the 5510 FW network in security terms? Please suggest...

dhananjoy chowdhury Fri, 08/01/2008 - 23:15

Suppose this is the scenario,


You have a Web server in your DMZ and you have allowed http access to this web server from the Internet.

Now on your ASA firewall, you have access list allowing http traffic to the Web server.


So from the firewall point of view you have restricted the access only on http/port 80.


Now maybe your web server is misconfigured or vulnerable to SQL injection attacks, maybe there are some loopholes in the published web pages (ASP/JSP etc.), and so on. The attacker may make use of any of these vulnerabilities to knock down your web server via the http port.


In this case to detect / prevent this kind of attacks you need IPS.


So I would say both FW and IPS are required to be deployed in your network to make your network more secure, but I would not say 100% secure.


Hope this helps.

nikuhappy2010 Fri, 08/01/2008 - 23:47
Thanks, I appreciate it... Well, all the web servers are in the DMZ zone and the DB servers are located in the inside network. Now, is it possible that a hacker could do something wrong via the web to the DB? We have just opened the SQL port for access from web to DB. We have already placed the ASA 5505 into production; now is there any way that we can use the IPS feature as well? Thanks

Correct Answer
dhananjoy chowdhury Sat, 08/02/2008 - 00:23

Hi,

In this case it is difficult to say Yes or No.

Instead I would say yes, because there could be many vulnerabilities / exploits over the SQL port which are not in my knowledge, or maybe even the experts'. Every day lots of new vulnerabilities are being discovered, so you cannot be sure that you are 100% secure.


Considering your case, you have only the SQL port allowed from the Web server to the DB server; now if the attacker has exploited a script (ASP/JSP) which connects to the DB, he can easily play with the data on your DB server, and so on.


With the ASA 5505, it's not supported.

You can go for the AIP module with the ASA 5510 and above. Check this page for more details.


http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
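The point made in both of dhananjoy's replies (the firewall passes port 80 while the attack travels inside the HTTP request, and the script's own SQL connection is then what reaches the inside DB over the one allowed port) can be shown with the application code itself. This is an added example, not code from the thread or from Cisco; it uses an in-memory SQLite table with constructed rows as a stand-in for the DB server, and a hypothetical `lookup_*` function standing in for the ASP/JSP page. The vulnerable version is kept deliberately broken so the two can be compared; the hardened version is the fix.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the inside DB server: two rows, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'loophole in a published page': the request value is pasted straight into SQL.
    The firewall only sees a normal TCP/80 request followed by a normal TCP/1433-style
    connection from the web server; the injected logic travels inside both."""
    query = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the value is bound by the driver and can never alter the
    statement's structure, whatever the request contains."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


# A textbook malformed input of the kind a WAF/IPS signature would flag; constructed here.
TAMPERED_INPUT = "nobody' OR '1'='1"


def compare(username):
    """Run both page versions on the same input and return the two result sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "hardened": lookup_hardened(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in compare(TAMPERED_INPUT).items():
        print(f"{name}: {len(rows)} row(s) returned -> {rows}")
```

Both versions produce identical traffic from the ASA's point of view, which is why the reply argues for inspection (IPS) on top of the port-based ACL. The application-side fixes are in the web tier's own hands: bind parameters as above, and give the account the page connects with only the rights that page needs, so that a script which is nonetheless abused cannot "play with the data" beyond its own tables.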


